Zoom – Is That The Sound Of Your Security Disappearing?
Many organisations have had to adapt very quickly to the rapidly changing restrictions brought in across the globe to help combat the spread of COVID-19 and, in a lot of cases, this has meant that the majority, if not all staff, rapidly transitioned to working from home. And because most business continuity plans didn’t consider the current situation, where you couldn’t simply move your workers to a different office or location, a number of organisations hadn’t fully considered communication and collaboration when enabling staff to meet and work remotely.
In the wake of this, many organisations turned to online video conferencing services and in the drive to implement a solution quickly, failed to effectively (if at all) vet these services before using them. One such service that seems to have gained the most attention (for reasons that are still unclear) is Zoom. Zoom offers multi-person video conferencing with lots of associated services, such as screen-sharing, text chat and document sharing, all of which are very similar to the myriad of other platforms available. So, if you are included within the 200 million daily meeting participants using Zoom services, as opposed to the MOD who have banned the application, you will no doubt be interested to know why Zoom has received so much negative press.
Once Zoom gained significant popularity, many security researchers started taking a closer look, which is often the case when a particular product suddenly spikes in usage. The reason the security researchers became so interested is, in short, because hackers will. Malicious actors will always target the most popular platform, as it offers them the best chance of success. And, as you may have noticed due to a number of online sources, it turns out Zoom was probably going a bit to fast when it came to security design.
So, what exactly has been discovered about Zoom and its security flaws? Well, Zoom claims, within its marketing material, that meetings are end-to-end encrypted. However, it seems that what it meant by end-to-end encryption is different to what the accepted definition of that term is and, in reality, the meeting is only encrypted as far as the Zoom servers. This ultimately means that Zoom has the ability to ‘snoop’ on the video and audio from the meeting and, whilst they say they don’t, are you happy to trust them with your privacy? If end-to-end encryption had been established, then only the participants would have access to the data.
And, on the topic of privacy, because Zoom has been using Facebook’s software development kit (which is not unusual for modern developers to do) the Zoom application will be sending large amounts of data about its users to Facebook, as this is a condition of using the Facebook software development kit. The issue here is not so much that Zoom is sharing this data with Facebook, it is the fact that Zoom never disclosed this data sharing to customers.
Add to this the fact that Zoom has some features that raise a few eyebrows from privacy and security concerned individuals, such as allowing the meeting host to see if attendees have the window minimised or not, and that Zoom administrators have some extraordinary capabilities including being able to access the content of all recorded calls, view detailed specifications of attendees’ computers or join any current meeting without consent or warning.
This all underlines why the information security community is of the opinion that using Zoom presents some serious risks to your organisation’s data privacy and security. Risks which need to be carefully assessed before such a product is let loose on your staff and systems. The reality is, that if your organisation is now making extensive use of a new video conferencing platform or service that it previously used only occasionally, you really need to do a thorough investigation of its security and privacy details before deciding whether it is safe and sensible to use. In light of this and the current situation, many organisations are now learning that their business continuity plans aren’t as robust as they thought.